Threat Hunting > [T2]: Exploring Kibana Concepts and Filtering Data

In this lesson, we will explore various Kibana concepts, including the Discover tab, Kibana Query Language (KQL), and filtering. These concepts will help you effectively analyze and visualize data within the Elastic Stack.


Discover Tab

The Discover tab in Kibana allows you to explore your indexed data, search for specific events or patterns, and visualize the results. It is a powerful tool for analyzing data and identifying trends or anomalies.

To access the Discover tab:

  1. Open Kibana at https://127.0.0.1:5601.
  2. In the left-hand menu, click on the "Discover" tab.
  3. Choose a data view, such as logs-*, to start exploring the data.

Kibana Query Language (KQL)

Kibana Query Language (KQL) is a simple and intuitive syntax that allows you to search, filter, and analyze data in Kibana. KQL supports autocomplete, making it easy to build queries and refine your search criteria.

To use KQL in the Discover tab:

  1. Type your query into the search bar at the top of the Discover tab.
  2. Select the time window of your search (choose Last 15 minutes).
  3. Press Enter to execute the query and display the results.

For example, to search for events related to the ping command, you can type ping in the search bar and press Enter.


Filtering Data in Kibana

Filtering is an essential aspect of working with data in Kibana. It allows you to narrow down your search results and focus on specific events or patterns.

To apply filters in Kibana:

  1. In the Discover tab, click on the "Add filter" button next to the search bar.
  2. Choose a field and a condition, then enter a value for the filter.
  3. Click "Save" to apply the filter to your search results.

For example, to filter for events with event.action equal to exec, you can create a filter with the following settings:

  • Field: event.action
  • Condition: is
  • Value: exec
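To make the two searches in this lesson concrete (free text ping in the KQL bar, then an event.action is exec filter pill, both under Last 15 minutes), here is an added Python example that is not part of the course material or of Kibana's own code. It builds the Elasticsearch query DSL such a Discover search resolves to and evaluates the same search over constructed sample events; the multi_match, match_phrase and range shapes are my approximation of what Kibana sends, and the events and clock are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for documents in a logs-* data view.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example
SAMPLE_EVENTS = [
    {"@timestamp": NOW - timedelta(minutes=2), "event.action": "exec",
     "process.command_line": "ping -c 1 10.0.0.5"},
    {"@timestamp": NOW - timedelta(minutes=5), "event.action": "end",
     "process.command_line": "ping -c 1 10.0.0.5"},
    {"@timestamp": NOW - timedelta(minutes=3), "event.action": "exec",
     "process.command_line": "cat /etc/hosts"},
    {"@timestamp": NOW - timedelta(minutes=40), "event.action": "exec",
     "process.command_line": "ping -c 4 10.0.0.9"},   # outside "Last 15 minutes"
]

def build_search_body(free_text="", filters=(), last_minutes=15):
    """Approximate Elasticsearch query DSL for a Discover search: free text from the
    KQL bar as multi_match, each 'is' filter pill as match_phrase, the time picker as a range."""
    must = []
    if free_text:
        must.append({"multi_match": {"query": free_text, "type": "best_fields", "lenient": True}})
    filt = [{"range": {"@timestamp": {"gte": f"now-{last_minutes}m", "lte": "now"}}}]
    filt += [{"match_phrase": {field: value}} for field, value in filters]
    return {"query": {"bool": {"must": must, "filter": filt}}}

def matches(event, free_text="", filters=(), now=NOW, last_minutes=15):
    """Evaluate the same search locally: timestamp inside the window, every filter pill
    an exact match, and the free text found in some string field (substring match here,
    a simplification of analyzed full-text matching)."""
    if not now - timedelta(minutes=last_minutes) <= event["@timestamp"] <= now:
        return False
    if any(event.get(field) != value for field, value in filters):
        return False
    if free_text:
        haystack = " ".join(v for v in event.values() if isinstance(v, str)).lower()
        return free_text.lower() in haystack
    return True

def run_search(events, **kwargs):
    """Return the command lines of the events a search would show in Discover."""
    return [e["process.command_line"] for e in events if matches(e, **kwargs)]

if __name__ == "__main__":
    print(json.dumps(build_search_body("ping", [("event.action", "exec")]), indent=2))
    print(run_search(SAMPLE_EVENTS, free_text="ping", filters=[("event.action", "exec")]))
```

Running it shows that the free-text search alone returns both recent ping events, while adding the event.action filter keeps only the process start, and the 40-minute-old event never appears because of the time window.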


In the next lesson, we will discuss how to create and customize dashboards and data visualizations using Kibana.

